Dial Tone

About Dial Tone

  1. Issues running hostapd

    OK so I'm trying to get AP mode working on an eee pc, using ath5k and hostapd. (Eventually it will serve content hosted on the local drive.) Been running into lots of issues, so I'm taking small steps. Right now the goal is to simply get hostapd to create an AP with a given SSID... no connectivity, no encryption, nothing fancy - just the very bare functionality. However, when I run hostapd I get this error:

      [songwhale@localhost bin]$ sudo ./hostapd /etc/hostapd.conf
      Configuration file: /etc/hostapd.conf
      Line 98: no authentication algorithms allowed
      1 errors found in configuration file '/etc/hostapd.conf'

    Now this seems odd. The tutorial I found told me to set up the hostapd config file this way: "Just configure hostapd with auth_algs=1 (which means open system) and wpa=0 (which means no wpa encryption at all) for testing." (http://acx100.erley.org/stable.html#config-hostapd) I fail to see how telling hostapd I want an open system could give an error that I'm... using a hostapd.conf file that specifies an open system.

    For reference, here is the hostapd.conf file:

      ######hostapd configuration file ##############################################
      # Empty lines and lines starting with # are ignored

      # AP netdevice name (without 'ap' postfix, i.e., wlan0 uses wlan0ap for
      # management frames); ath0 for madwifi
      interface=wlan0

      # In case of madwifi driver, an additional configuration parameter, bridge,
      # must be used to notify hostapd if the interface is included in a bridge. This
      # parameter is not used with Host AP driver.
      #bridge=br0

      # Driver interface type (hostap/wired/madwifi/prism54; default: hostap)
      driver=nl80211

      # hostapd event logger configuration
      #
      # Two output method: syslog and stdout (only usable if not forking to
      # background).
      #
      # Module bitfield (ORed bitfield of modules that will be logged; -1 = all
      # modules):
      # bit 0 (1) = IEEE 802.11
      # bit 1 (2) = IEEE 802.1X
      # bit 2 (4) = RADIUS
      # bit 3 (8) = WPA
      # bit 4 (16) = driver interface
      # bit 5 (32) = IAPP
      #
      # Levels (minimum value for logged events):
      # 0 = verbose debugging
      # 1 = debugging
      # 2 = informational messages
      # 3 = notification
      # 4 = warning
      #
      logger_syslog=-1
      logger_syslog_level=2
      logger_stdout=-1
      logger_stdout_level=2

      # Debugging: 0 = no, 1 = minimal, 2 = verbose, 3 = msg dumps, 4 = excessive
      debug=0

      # Dump file for state information (on SIGUSR1)
      dump_file=/tmp/hostapd.dump

      # Interface for separate control program. If this is specified, hostapd
      # will create this directory and a UNIX domain socket for listening to requests
      # from external programs (CLI/GUI, etc.) for status information and
      # configuration. The socket file will be named based on the interface name, so
      # multiple hostapd processes/interfaces can be run at the same time if more
      # than one interface is used.
      # /var/run/hostapd is the recommended directory for sockets and by default,
      # hostapd_cli will use it when trying to connect with hostapd.
      ctrl_interface=/var/run/hostapd

      # Access control for the control interface can be configured by setting the
      # directory to allow only members of a group to use sockets. This way, it is
      # possible to run hostapd as root (since it needs to change network
      # configuration and open raw sockets) and still allow GUI/CLI components to be
      # run as non-root users. However, since the control interface can be used to
      # change the network configuration, this access needs to be protected in many
      # cases. By default, hostapd is configured to use gid 0 (root). If you
      # want to allow non-root users to use the contron interface, add a new group
      # and change this value to match with that group. Add users that should have
      # control interface access to this group.
      #
      # This variable can be a group name or gid.
      #ctrl_interface_group=wheel
      ctrl_interface_group=0


      ##### IEEE 802.11 related configuration #######################################

      # SSID to be used in IEEE 802.11 management frames
      ssid=songwhale

      # Station MAC address -based authentication
      # 0 = accept unless in deny list
      # 1 = deny unless in accept list
      # 2 = use external RADIUS server (accept/deny lists are searched first)
      macaddr_acl=0

      # Accept/deny lists are read from separate files (containing list of
      # MAC addresses, one per line). Use absolute path name to make sure that the
      # files can be read on SIGHUP configuration reloads.
      #accept_mac_file=/etc/hostapd.accept
      #deny_mac_file=/etc/hostapd.deny

      # IEEE 802.11 specifies two authentication algorithms. hostapd can be
      # configured to allow both of these or only one. Open system authentication
      # should be used with IEEE 802.1X.
      # Bit fields of allowed authentication algorithms:
      # bit 0 = Open System Authentication
      # bit 1 = Shared Key Authentication (requires WEP)
      auth_algs=0

      # Associate as a station to another AP while still acting as an AP on the same
      # channel.
      #assoc_ap_addr=00:12:34:56:78:9a


      ##### IEEE 802.1X-2004 related configuration ##################################

      # Require IEEE 802.1X authorization
      #ieee8021x=1

      # IEEE 802.1X/EAPOL version
      # hostapd is implemented based on IEEE Std 802.1X-2004 which defines EAPOL
      # version 2. However, there are many client implementations that do not handle
      # the new version number correctly (they seem to drop the frames completely).
      # In order to make hostapd interoperate with these clients, the version number
      # can be set to the older version (1) with this configuration value.
      #eapol_version=2

      # Optional displayable message sent with EAP Request-Identity. The first \0
      # in this string will be converted to ASCII-0 (nul). This can be used to
      # separate network info (comma separated list of attribute=value pairs); see,
      # e.g., draft-adrangi-eap-network-discovery-07.txt.
      #eap_message=hello
      #eap_message=hello\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com

      # WEP rekeying (disabled if key lengths are not set or are set to 0)
      # Key lengths for default/broadcast and individual/unicast keys:
      # 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits)
      # 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits)
      #wep_key_len_broadcast=5
      #wep_key_len_unicast=5
      # Rekeying period in seconds. 0 = do not rekey (i.e., set keys only once)
      #wep_rekey_period=300

      # EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if
      # only broadcast keys are used)
      eapol_key_index_workaround=0

      # EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable
      # reauthentication).
      #eap_reauth_period=3600

      # Use PAE group address (01:80:c2:00:00:03) instead of individual target
      # address when sending EAPOL frames with driver=wired. This is the most common
      # mechanism used in wired authentication, but it also requires that the port
      # is only used by one station.
      #use_pae_group_addr=1

      ##### Integrated EAP server ###################################################

      # Optionally, hostapd can be configured to use an integrated EAP server
      # to process EAP authentication locally without need for an external RADIUS
      # server. This functionality can be used both as a local authentication server
      # for IEEE 802.1X/EAPOL and as a RADIUS server for other devices.

      # Use integrated EAP server instead of external RADIUS authentication
      # server. This is also needed if hostapd is configured to act as a RADIUS
      # authentication server.
      eap_server=0

      # Path for EAP server user database
      #eap_user_file=/etc/hostapd.eap_user

      # CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
      #ca_cert=/etc/hostapd.ca.pem

      # Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
      #server_cert=/etc/hostapd.server.pem

      # Private key matching with the server certificate for EAP-TLS/PEAP/TTLS
      # This may point to the same file as server_cert if both certificate and key
      # are included in a single file. PKCS#12 (PFX) file (.p12/.pfx) can also be
      # used by commenting out server_cert and specifying the PFX file as the
      # private_key.
      #private_key=/etc/hostapd.server.prv

      # Passphrase for private key
      #private_key_passwd=secret passphrase

      # Enable CRL verification.
      # Note: hostapd does not yet support CRL downloading based on CDP. Thus, a
      # valid CRL signed by the CA is required to be included in the ca_cert file.
      # This can be done by using PEM format for CA certificate and CRL and
      # concatenating these into one file. Whenever CRL changes, hostapd needs to be
      # restarted to take the new CRL into use.
      # 0 = do not verify CRLs (default)
      # 1 = check the CRL of the user certificate
      # 2 = check all CRLs in the certificate path
      #check_crl=1

      # Configuration data for EAP-SIM database/authentication gateway interface.
      # This is a text string in implementation specific format. The example
      # implementation in eap_sim_db.c uses this as the file name for the GSM
      # authentication triplets.
      #eap_sim_db=/etc/hostapd.sim_db

      ##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) #######################

      # Interface to be used for IAPP broadcast packets
      #iapp_interface=eth0

      ##### RADIUS client configuration #############################################
      # for IEEE 802.1X with external Authentication Server, IEEE 802.11
      # authentication with external ACL for MAC addresses, and accounting

      # The own IP address of the access point (used as NAS-IP-Address)
      own_ip_addr=127.0.0.1

      # Optional NAS-Identifier string for RADIUS messages. When used, this should be
      # a unique to the NAS within the scope of the RADIUS server. For example, a
      # fully qualified domain name can be used here.
      #nas_identifier=ap.example.com

      # RADIUS authentication server
      #auth_server_addr=127.0.0.1
      #auth_server_port=1812
      #auth_server_shared_secret=secret

      # RADIUS accounting server
      #acct_server_addr=127.0.0.1
      #acct_server_port=1813
      #acct_server_shared_secret=secret

      # Secondary RADIUS servers; to be used if primary one does not reply to
      # RADIUS packets. These are optional and there can be more than one secondary
      # server listed.
      #auth_server_addr=127.0.0.2
      #auth_server_port=1812
      #auth_server_shared_secret=secret2
      #
      #acct_server_addr=127.0.0.2
      #acct_server_port=1813
      #acct_server_shared_secret=secret2

      # Retry interval for trying to return to the primary RADIUS server (in
      # seconds). RADIUS client code will automatically try to use the next server
      # when the current server is not replying to requests. If this interval is set,
      # primary server will be retried after configured amount of time even if the
      # currently used secondary server is still working.
      #radius_retry_primary_interval=600

      # Interim accounting update interval
      # If this is set (larger than 0) and acct_server is configured, hostapd will
      # send interim accounting updates every N seconds. Note: if set, this overrides
      # possible Acct-Interim-Interval attribute in Access-Accept message. Thus, this
      # value should not be configured in hostapd.conf, if RADIUS server is used to
      # control the interim interval.
      # This value should not be less 600 (10 minutes) and must not be less than
      # 60 (1 minute).
      #radius_acct_interim_interval=600

      ##### RADIUS authentication server configuration ##############################

      # hostapd can be used as a RADIUS authentication server for other hosts. This
      # requires that the integrated EAP authenticator is also enabled and both
      # authentication services are sharing the same configuration.

      # File name of the RADIUS clients configuration for the RADIUS server. If this
      # commented out, RADIUS server is disabled.
      #radius_server_clients=/etc/hostapd.radius_clients

      # The UDP port number for the RADIUS authentication server
      #radius_server_auth_port=1812

      # Use IPv6 with RADIUS server (IPv4 will also be supported using IPv6 API)
      #radius_server_ipv6=1


      ##### WPA/IEEE 802.11i configuration ##########################################

      # Enable WPA. Setting this variable configures the AP to require WPA (either
      # WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either
      # wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.
      # For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys),
      # RADIUS authentication server must be configured, and WPA-EAP must be included
      # in wpa_key_mgmt.
      # This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)
      # and/or WPA2 (full IEEE 802.11i/RSN):
      # bit0 = WPA
      # bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
      #wpa=0

      # WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit
      # secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase
      # (8..63 characters) that will be converted to PSK. This conversion uses SSID
      # so the PSK changes when ASCII passphrase is used and the SSID is changed.
      # wpa_psk (dot11RSNAConfigPSKValue)
      # wpa_passphrase (dot11RSNAConfigPSKPassPhrase)
      #wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
      #wpa_passphrase=secret passphrase

      # Optionally, WPA PSKs can be read from a separate text file (containing list
      # of (PSK,MAC address) pairs. This allows more than one PSK to be configured.
      # Use absolute path name to make sure that the files can be read on SIGHUP
      # configuration reloads.
      #wpa_psk_file=/etc/hostapd.wpa_psk

      # Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The
      # entries are separated with a space.
      # (dot11RSNAConfigAuthenticationSuitesTable)
      #wpa_key_mgmt=WPA-PSK WPA-EAP

      # Set of accepted cipher suites (encryption algorithms) for pairwise keys
      # (unicast packets). This is a space separated list of algorithms:
      # CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
      # TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
      # Group cipher suite (encryption algorithm for broadcast and multicast frames)
      # is automatically selected based on this configuration. If only CCMP is
      # allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise,
      # TKIP will be used as the group cipher.
      # (dot11RSNAConfigPairwiseCiphersTable)
      #wpa_pairwise=TKIP CCMP

      # Time interval for rekeying GTK (broadcast/multicast encryption keys) in
      # seconds. (dot11RSNAConfigGroupRekeyTime)
      #wpa_group_rekey=600

      # Rekey GTK when any STA that possesses the current GTK is leaving the BSS.
      # (dot11RSNAConfigGroupRekeyStrict)
      #wpa_strict_rekey=1

      # Time interval for rekeying GMK (master key used internally to generate GTKs
      # (in seconds).
      #wpa_gmk_rekey=86400

      # Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up
      # roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN
      # authentication and key handshake before actually associating with a new AP.
      # (dot11RSNAPreauthenticationEnabled)
      #rsn_preauth=1
      #
      # Space separated list of interfaces from which pre-authentication frames are
      # accepted (e.g., 'eth0' or 'eth0 wlan0wds0'. This list should include all
      # interface that are used for connections to other APs. This could include
      # wired interfaces and WDS links. The normal wireless data interface towards
      # associated stations (e.g., wlan0) should not be added, since
      # pre-authentication is only used with APs other than the currently associated
      # one.
      #rsn_preauth_interfaces=eth0

    Thanks for the help guys!
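The error in the post comes from the auth_algs bitfield, so here is an added example (not hostapd's own code, and not from the post) that parses a hostapd.conf the way the file's own header describes, explains which authentication algorithms a given auth_algs value allows, and reports the "no authentication algorithms allowed" condition with its line number. The sample excerpt is constructed from the posted file; the function and variable names are my own.

```python
"""Lint the authentication settings of a hostapd.conf (added example)."""

# Meaning of the auth_algs bits, as documented in the posted config comments.
AUTH_ALG_BITS = {1: "Open System", 2: "Shared Key (requires WEP)"}

# Constructed excerpt of the posted file (same key lines, same auth_algs=0).
SAMPLE_CONF = """\
# constructed excerpt of /etc/hostapd.conf from the post
interface=wlan0
driver=nl80211
ssid=songwhale
# bit 0 = Open System Authentication
# bit 1 = Shared Key Authentication (requires WEP)
auth_algs=0
#wpa=0
"""


def parse_hostapd_conf(text):
    """Return {key: (value, line_number)}. Blank lines and lines starting
    with '#' are ignored, as the file header states; later keys override."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        settings[key.strip()] = (value.strip(), lineno)
    return settings


def allowed_auth_algs(settings):
    """Names of the algorithms enabled by auth_algs (empty list if none)."""
    value, _ = settings.get("auth_algs", ("0", 0))
    algs = int(value, 0)
    return [name for bit, name in AUTH_ALG_BITS.items() if algs & bit]


def check_auth_algs(settings):
    """Return [(line, message)] for problems hostapd would refuse to start with."""
    if "auth_algs" not in settings:
        return []  # hostapd applies its own default when the key is absent
    value, lineno = settings["auth_algs"]
    try:
        algs = int(value, 0)
    except ValueError:
        return [(lineno, f"auth_algs={value!r} is not a number")]
    problems = []
    if algs == 0:  # this is exactly the posted failure
        problems.append((lineno, "no authentication algorithms allowed (auth_algs=0)"))
    unknown = algs & ~sum(AUTH_ALG_BITS)
    if unknown:
        problems.append((lineno, f"auth_algs sets undefined bits: {unknown:#x}"))
    return problems


def set_directive(text, key, value):
    """Rewrite the first active key=value line in place, keeping comments and
    order, so a fix such as auth_algs=1 lands on the line hostapd complained about."""
    out, done = [], False
    for raw in text.splitlines():
        stripped = raw.strip()
        active = stripped and not stripped.startswith("#")
        if not done and active and stripped.partition("=")[0].strip() == key:
            out.append(f"{key}={value}")
            done = True
        else:
            out.append(raw)
    if not done:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    conf = parse_hostapd_conf(SAMPLE_CONF)
    for line, msg in check_auth_algs(conf):
        print(f"Line {line}: {msg}")
    print("allowed after fix:", allowed_auth_algs(parse_hostapd_conf(set_directive(SAMPLE_CONF, "auth_algs", "1"))))
```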
  2. locking down SSH on OSX

    I've enabled SSH on an OSX box at home so I can have a secure tunnel when I'm out and about. I made it so only a non admin account can be accessed remotely and gave it a strong password. I'd also like to change the port it operates on to avoid script kiddies scanning everyone on the subnet for an open port 22 - how would I do this? P.S. Also, how can I rate limit logon attempts (IE three strikes then ban an IP from logging in for 15 min.)
  3. caller ID spoofing: how to?

    Ah, just having a name for what I want to do will make research much easier. I'm willing to bet if there's not a post here doing this, there will be somewhere on google. Thanks.
  4. So I've been looking into caller ID spoofing. Now it seems I have three options, none of which meet all my needs. First is the orange box (IE http://artofhacking.com/files/OB-FAQ.HTM). This is of limited use since the caller ID cannot be spoofed until the person picks up the phone. Also it doesn't work if the target is on a cellular network. The link has more technical details. Next is the vermilion box. It solves the issue of needing to have the target pick up, but adds another hurdle: you need physical access so you can clip in (it's basically an orange box to do the caller ID tones, a magenta box to emulate the ring, and a beige box to hook into the victim's line: http://artofhacking.com/files/vermbox.htm) Finally there's spoofcard, which is just a phone card that adds the ability to specify your phone number: Now, I'm a bit stuck. The first two options add too many problems... the orange box doesn't really allow for SE, and the vermilion box requires physical access, which is not always feasible. The spoof card is an option, but I'd rather use an open source / self made solution, both for financial reasons and so I can learn what's going on behind the scenes (rather than just entering some info and having some company do the legwork). I suspect there must be some other way to completely fake caller ID? I've heard mentions of using Asterisk and VOIP, but nothing concrete has turned up. My background is mostly network security/cryptography; I'll admit my phreaking knowledge is a bit lacking. Does anyone know the basics of how something like this would work?
  5. installing ath9k on fc11...

    I'm trying to get my eee working as a wireless AP. For reasons I won't get into, madwifi isn't an option. I found out I needed at least the 2.6.29 kernel to do this (they added support for it in the kernel... you use mac80211 and hostapd). I installed Fedora Core 11's preview release since it has that kernel, and have all the other random things I need to install installed, but when I checked lsmod, I noticed it's using the ath5k driver. How do I install/enable the ath9k driver? I googled a bit, and the closest I could find was this: http://forum.thinkpads.com/viewtopic.php?f=9&t=69217 However, it's a bit out of date. I tried following along, substituting the 2.29 files I downloaded with the ones it mentions, but it asks me to install to directories that don't exist on my Fedora 11 preview's install. Thanks for the help!
  6. DEFCON 2009

    Being social is not a problem, heh. If worse comes to worse I am going with a friend so splitting a cab is an option. I just figured it'd be better to find someone from here than a random person, who might have friends they already planned to give rides.
  7. Data Destruction

    From what I've read, the papers suggesting 35x wipes and such BS are flawed, since modern HDs have so much more data per platter. (Plus a large government with massive supercomputers trying to crack encrypted data can gain a lot from known plaintext... the local cops are constrained by peer reviewed techniques that have held up in court... which usually means they run a dictionary attack, then brute force.) So it might be better to just have a cron script that runs after a condition of your choosing (remote login via SSH, amount of time passed without a password being entered, etc.) and zeros the drive with dd if that condition is not met.
  8. How can I send a custom HTTP get request?

    Is there a standard location that passwords are stored on IIS? (Like, the windows equivalent of /etc/passwd) My goal is get a script working that connects to a server (specified in stdin), and downloads their hash file. (I think it's a safe bet anyone using unpatched IIS probably has some user accounts with dictionary word passes)
  9. How can I send a custom HTTP get request?

    I've never used this, but you'd probably be able to get similar results out of Tamper Data, another Firefox extension. From the screenshots I grokked of LiveHTTPHeaders, it looks like manipulating a POST would be easier with Tamper Data, at the very least. If you're married to the command-line though (and good for you! You'll find it more flexible for this sort of thing) I second the usage of "curl", as in the standalone binary... to me it's wget with more options. An (untested) example of usage for your case would be something like: curl -H "Translate: f" http://www.yourserver.com/..%c0%af/protected/protected.zip I'm not 100% sure if the shell you're using would interpret %c0%af as the Unicode character "/", but that should be an example to get you started. Apparently any unicode value works. The unicode is stripped out, then the path that remains is served _without authentication_. Whooooppsies.
  10. How can I send a custom HTTP get request?

    Maybe I should scream ones and zeros into an ethernet cable.... Probably going to go with netcat (soon as I heard the name I remembered it... probably more documentation for it than curl. Definitely easier to use)
  11. How can I send a custom HTTP get request?

    Thanks, that's awesome. Do you know of anything that works on the command line? (Probably much easier to script something that way)
  12. I have a box running IIS6 set up so I can try out this new vulnerability: http://seclists.org/fulldisclosure/2009/May/0134.html (read the pdf for details) Basically I send a malicious http get with unicode in it. The unicode is stripped out, and the file requested is served, regardless of any security considerations. Seems like a cool thing to mess with on my network. Maybe try and work out a script to grab password files or something automagically, maybe send it in to 2600 or something similar.
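On the defensive side of the IIS 6 thread above (posts 9 and 12): the request in question hides a path separator in an overlong UTF-8 encoding (%c0%af), which the server strips before the authorization check. This added example (not from the thread and not IIS tooling) scans W3C-style IIS log lines, percent-decodes the URI stem, and flags overlong UTF-8 sequences and dot-dot segments; it generalises past %c0%af to any overlong 2-, 3- or 4-byte form, since the post notes that other values work too. The log lines, field names and function names are constructed for the example.

```python
"""Flag requests whose encoded path hides overlong UTF-8 (added example)."""

from urllib.parse import unquote_to_bytes

# Constructed sample in the W3C layout IIS writes; not from a real server.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-05-20 10:01:02 192.0.2.10 GET /index.htm - 200
2009-05-20 10:01:05 192.0.2.10 GET /protected/protected.zip - 401
2009-05-20 10:01:09 192.0.2.10 GET /..%c0%af/protected/protected.zip - 200
2009-05-20 10:02:11 192.0.2.44 GET /caf%c3%a9.htm - 200
2009-05-20 10:03:30 192.0.2.44 PROPFIND /%e0%80%af/protected/ - 207
"""


def overlong_utf8_offsets(data):
    """Offsets of overlong UTF-8 sequences in data. A valid encoder never
    emits lead bytes C0/C1, E0 followed by 80..9F, or F0 followed by 80..8F;
    each of those encodes a code point that fits in fewer bytes."""
    hits = []
    for i, b in enumerate(data):
        nxt = data[i + 1] if i + 1 < len(data) else None
        if b in (0xC0, 0xC1):
            hits.append(i)
        elif b == 0xE0 and nxt is not None and 0x80 <= nxt <= 0x9F:
            hits.append(i)
        elif b == 0xF0 and nxt is not None and 0x80 <= nxt <= 0x8F:
            hits.append(i)
    return hits


def parse_w3c(text):
    """Yield one dict per data line; a '#Fields:' directive names the columns."""
    fields = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split(":", 1)[1].split()
        elif raw and not raw.startswith("#"):
            yield dict(zip(fields, raw.split(" ")))


def suspicious_requests(text):
    """Return (c-ip, cs-uri-stem, reason) for each request whose decoded
    path contains an overlong sequence or a '..' component."""
    findings = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        decoded = unquote_to_bytes(stem)  # bytes, so overlong forms survive
        reasons = []
        if overlong_utf8_offsets(decoded):
            reasons.append("overlong UTF-8 in path")
        if b".." in decoded:
            reasons.append("dot-dot segment in path")
        if reasons:
            findings.append((rec.get("c-ip", "?"), stem, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for ip, stem, why in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} {stem}  <- {why}")
```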
  13. 2.6.29 kernel rpm?

    Thanks a lot!
  14. 2.6.29 kernel rpm?

    Do you know of a good tutorial? Normally I've just gotten my packages from yum :/ I found this: http://www.howtoforge.com/kernel_compilation_fedora but everything gives errors (won't let me make the directory, says the package they say to get to build the rpm doesn't work, etc)
  15. 2.6.29 kernel rpm?

    Ok, this one project I'm working on requires the AP mode support added in 2.6.29. However my fedora install didn't come with this kernel. I have two options: compiling from source, or installing it via an rpm. I haven't been able to find an rpm for that particular kernel release however, and I have no clue how to update my kernel from source. Any help is greatly appreciated.